CVE-2019-3396
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
Analysis
Atlassian Confluence Server Widget Connector macro contains a path traversal and server-side template injection vulnerability enabling unauthenticated remote code execution through crafted URLs.
Technical Context
The Widget Connector macro renders embedded content through a Velocity template, and the template to use is taken from a request parameter (`_template`) without validation. Because that value is not restricted to the templates shipped with Confluence, an attacker can use path traversal (CWE-22) to make the macro load a template they control. Velocity then renders the attacker's template on the server, where template directives can reach Java objects and invoke their methods, including ones that run OS commands, so an unauthenticated attacker gets remote code execution on the Confluence host.
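The pattern above, reduced to its essentials, as an added example (not Confluence or Velocity code): a fictional widget renderer picks a template file from a request parameter. The vulnerable version joins the parameter onto the template directory and trusts it; the hardened version accepts only allowlisted names and verifies the canonical path stays under the template directory. The allowlist, file names and the attacker's `evil.vm` are hypothetical, and the template engine is plain string substitution, so Velocity's method-invocation step (the part that turns template control into RCE) is deliberately not reproduced; the demo shows only how an attacker-controlled template reaches the renderer and how the fix blocks it.

```python
"""Toy widget renderer illustrating the CWE-22 template-selection flaw.

Added example, not Confluence or Velocity code. Assumes a hypothetical
renderer whose template name comes from a request parameter, like the
Widget Connector macro's template parameter.
"""
import os
import tempfile
from string import Template

ALLOWED_TEMPLATES = {"widget.vm", "youtube.vm"}  # hypothetical allowlist


def render_vulnerable(template_dir: str, template_param: str, context: dict) -> str:
    """Vulnerable: the template name comes straight from the request."""
    path = os.path.join(template_dir, template_param)  # "../" is never rejected
    with open(path, encoding="utf-8") as fh:
        return Template(fh.read()).safe_substitute(context)


def render_hardened(template_dir: str, template_param: str, context: dict) -> str:
    """Hardened: allowlisted name plus a canonical-path containment check."""
    if template_param not in ALLOWED_TEMPLATES:
        raise ValueError(f"template not allowed: {template_param!r}")
    base = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(base, template_param))
    # Defence in depth: even an allowlisted name must resolve inside base.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("template path escapes template directory")
    with open(path, encoding="utf-8") as fh:
        return Template(fh.read()).safe_substitute(context)


def build_demo_tree() -> tuple:
    """Constructed fixture: a template dir and an attacker-controlled file outside it."""
    root = tempfile.mkdtemp(prefix="widget-demo-")
    tpl_dir = os.path.join(root, "templates")
    os.makedirs(tpl_dir)
    with open(os.path.join(tpl_dir, "widget.vm"), "w", encoding="utf-8") as fh:
        fh.write("<iframe src='$url'></iframe>")
    # Stands in for a template the attacker placed (or served) outside the allowed dir.
    with open(os.path.join(root, "evil.vm"), "w", encoding="utf-8") as fh:
        fh.write("ATTACKER TEMPLATE RENDERED WITH url=$url")
    return root, tpl_dir


def demo() -> dict:
    """Run both renderers against a benign and a traversal template name."""
    root, tpl_dir = build_demo_tree()
    ctx = {"url": "https://example.invalid/video"}
    results = {
        "vuln_benign": render_vulnerable(tpl_dir, "widget.vm", ctx),
        "vuln_traversal": render_vulnerable(tpl_dir, "../evil.vm", ctx),
        "hard_benign": render_hardened(tpl_dir, "widget.vm", ctx),
    }
    try:
        render_hardened(tpl_dir, "../evil.vm", ctx)
        results["hard_traversal"] = "rendered (BUG)"
    except ValueError as exc:
        results["hard_traversal"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name:15s} {output}")
```

The allowlist is the real fix; the `realpath`/`commonpath` check is there so that a later mistake in the allowlist (a name containing a separator, a symlink inside the template directory) still cannot reach files outside it.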
Affected Products
Atlassian Confluence Server and Data Center before 6.6.12
Atlassian Confluence Server and Data Center 6.7.0 before 6.12.3
Atlassian Confluence Server and Data Center 6.13.0 before 6.13.3
Atlassian Confluence Server and Data Center 6.14.0 before 6.14.2
Remediation
Upgrade to a fixed release: 6.6.12 for 6.6.x (and for anything older than 6.6), 6.12.3 for 6.7.x through 6.12.x, 6.13.3 for 6.13.x, and 6.14.2 for 6.14.x. Until the upgrade is done, restrict external access to Confluence and disable the Widget Connector macro if it is not needed. Because exploitation requires no authentication, treat any internet-exposed instance that ran an affected version as potentially compromised: check for web shells and cryptominers, and review process and network activity on the host.
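A version check against the four affected ranges above, as an added example (not Atlassian tooling). `check_version` encodes exactly the ranges and fixed versions from the description, `parse_version` understands only dotted numeric versions such as `6.13.2`, and `version_from_html` reads the `ajs-version-number` meta tag that Confluence pages carry in their head; the HTML sample is constructed for the demo.

```python
"""Check a Confluence Server/Data Center version against the CVE-2019-3396
affected ranges from the advisory text. Added example, not Atlassian code.
"""
import re

# (inclusive lower bound or None, exclusive upper bound, fixed version)
AFFECTED_RANGES = [
    (None,       (6, 6, 12), "6.6.12"),
    ((6, 7, 0),  (6, 12, 3), "6.12.3"),
    ((6, 13, 0), (6, 13, 3), "6.13.3"),
    ((6, 14, 0), (6, 14, 2), "6.14.2"),
]


def parse_version(text: str) -> tuple:
    """'6.13.2' -> (6, 13, 2); missing components are padded with 0."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def check_version(version: str) -> tuple:
    """Return (affected, fixed_version); fixed_version is None when not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True, fixed
    return False, None


VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def version_from_html(html: str):
    """Extract the version string from a Confluence page, or None if absent."""
    m = VERSION_META.search(html)
    return m.group(1) if m else None


# Constructed sample of the tag as it appears in a Confluence page head.
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="6.13.2"></head></html>'

if __name__ == "__main__":
    ver = version_from_html(SAMPLE_HTML)
    affected, fixed = check_version(ver)
    print(f"{ver}: {'AFFECTED, upgrade to ' + fixed if affected else 'not affected'}")
    for probe in ["6.6.11", "6.6.12", "6.12.2", "6.13.3", "6.14.1", "6.15.1"]:
        print(probe, check_version(probe))
```

Run it against the HTML of an instance's login page to get a quick answer; a version that parses but falls outside every range (6.6.12 and later within 6.6.x, 6.15 and later) reports not affected, matching the description's ranges rather than any broader assumption.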